Is creud/gigaverse-play safe?

The skill includes purchase-juice.ts and mint-direct.cjs, which can execute payable smart contract calls on Abstract Chain spending real ETH. In autonomous mode, the agent is instructed to level up and manage the game loop automatically, creating conditions under which it might trigger these transactions without explicit per-action user approval. Blockchain transactions are irreversible.

Autonomous mode is designed for 'background operation, fully automated gameplay' where the agent selects usernames, factions, combat moves, and looting without user input. This mode also autonomously decides to level up (burning XP items) and, by extension, could be guided into purchasing in-game assets. The combination of autonomous operation and real crypto wallet access creates significant financial risk.

The skill documents an explicit mechanism that continues pushing GigaJuice purchase recommendations even after the user has set preferences.juice_declined:true. The carve-out for 'active sales or limited-time offerings' means the user can never fully silence the upsell. This constitutes an intentional override of stated user preference in service of the skill operator's commercial interest.

The skill instructs the agent to write the Ethereum private key to ~/.secrets/gigaverse-private-key.txt. This is a predictable path accessible to any co-installed skill or tool with filesystem read permissions. If any other agent capability can read files in the home directory, the wallet key can be exfiltrated and all assets permanently lost.

The skill mandates that agents include their AI model identifier (e.g., 'claude-opus-4.5', 'gpt-4o') in the agent_metadata field of every authentication request to gigaverse.io. This is described as required, not optional, and is used to 'track skill adoption and agent diversity'. This constitutes systematic collection of agent infrastructure information by an external third party.

The skill's HEARTBEAT.md file instructs agents to integrate a Gigaverse energy-monitoring loop into their periodic task list, running every 30 minutes indefinitely. This extends the skill's influence over agent behavior beyond active invocation, continuously consuming agent attention and potentially affecting other task prioritization.

Placing a cryptocurrency private key at a predictable path in the user's home directory creates a persistent attack surface exploitable by any other skill or tool in the agent's toolkit. A malicious companion skill could silently read and exfiltrate this key, draining the wallet without any direct interaction with this skill.

The package.json contains no preinstall, postinstall, or other lifecycle scripts. No git submodules, no .gitattributes filter drivers, no symlinks, and no suspicious filesystem changes outside the skill directory were detected during installation.

Inotifywait detected accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at 12:14:50 — before the skill was installed (GitHub clone began at ~12:14:56). A second set of PATH events at audit timestamp 1771935313.817 corresponds to the oathe post-install integrity verification sweep. The skill itself did not access these files.